chore(jetty): upgrade jetty to 9.4.46 for CVE (#4857)

2025-12-24 08:28:12 +00:00 · 2022-05-06 16:18:20 -05:00 · 2022-05-06 16:18:20 -05:00 · d70df06c21
commit d70df06c21
parent 6ced69cf31
5 changed files with 20 additions and 9 deletions
--- a/build.gradle
+++ b/build.gradle
@ -85,7 +85,7 @@ project.ext.externalDependency = [
    'javaxValidation' : 'javax.validation:validation-api:2.0.1.Final',
    'jerseyCore': 'org.glassfish.jersey.core:jersey-client:2.25.1',
    'jerseyGuava': 'org.glassfish.jersey.bundles.repackaged:jersey-guava:2.25.1',
-    'jettyJaas': 'org.eclipse.jetty:jetty-jaas:9.4.32.v20200930',
+    'jettyJaas': 'org.eclipse.jetty:jetty-jaas:9.4.46.v20220331',
    'jgrapht': 'org.jgrapht:jgrapht-core:1.5.1',
    'jsonSchemaAvro': 'com.github.fge:json-schema-avro:0.1.4',
    'jsonSimple': 'com.googlecode.json-simple:json-simple:1.1.1',
--- a/datahub-frontend/app/security/AuthenticationManager.java
+++ b/datahub-frontend/app/security/AuthenticationManager.java
@ -1,9 +1,7 @@
 package security;

 import com.google.common.base.Preconditions;
-import org.apache.commons.lang3.StringUtils;
-import play.Logger;
-
+import java.util.Collections;
 import javax.annotation.Nonnull;
 import javax.naming.AuthenticationException;
 import javax.naming.NamingException;
@ -13,6 +11,11 @@ import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
+import org.apache.commons.lang3.StringUtils;
+import org.eclipse.jetty.jaas.JAASLoginService;
+import org.eclipse.jetty.jaas.PropertyUserStoreManager;
+import play.Logger;
+

 public class AuthenticationManager {

@ -23,10 +26,18 @@ public class AuthenticationManager {
  public static void authenticateUser(@Nonnull String userName, @Nonnull String password) throws NamingException {
    Preconditions.checkArgument(!StringUtils.isAnyEmpty(userName), "Username cannot be empty");
    try {
+      JAASLoginService jaasLoginService = new JAASLoginService("WHZ-Authentication");
+      PropertyUserStoreManager propertyUserStoreManager = new PropertyUserStoreManager();
+      propertyUserStoreManager.start();
+      jaasLoginService.setBeans(Collections.singletonList(propertyUserStoreManager));
+      JAASLoginService.INSTANCE.set(jaasLoginService);
      LoginContext lc = new LoginContext("WHZ-Authentication", new WHZCallbackHandler(userName, password));
      lc.login();
    } catch (LoginException le) {
      throw new AuthenticationException(le.toString());
+    } catch (Exception e) {
+      // Bad abstract class design, empty doStart that has throws Exception in the signature and subclass that also
+      // does not throw any checked exceptions. This should never happen, all it does is create an empty HashMap...
    }
  }

--- a/docker/datahub-gms/Dockerfile
+++ b/docker/datahub-gms/Dockerfile
@ -15,9 +15,9 @@ RUN apk --no-cache --update-cache --available upgrade \
      echo >&2 "Unsupported architecture $(arch)" ; exit 1; \
    fi \
    && apk --no-cache add tar curl openjdk8-jre bash coreutils gcompat \
-    && curl https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-runner/9.4.20.v20190813/jetty-runner-9.4.20.v20190813.jar --output jetty-runner.jar \
-    && curl https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-jmx/9.4.20.v20190813/jetty-jmx-9.4.20.v20190813.jar --output jetty-jmx.jar \
-    && curl https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-util/9.4.20.v20190813/jetty-util-9.4.20.v20190813.jar --output jetty-util.jar \
+    && curl https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-runner/9.4.46.v20220331/jetty-runner-9.4.46.v20220331.jar --output jetty-runner.jar \
+    && curl https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-jmx/9.4.46.v20220331/jetty-jmx-9.4.46.v20220331.jar --output jetty-jmx.jar \
+    && curl https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-util/9.4.46.v20220331/jetty-util-9.4.46.v20220331.jar --output jetty-util.jar \
    && wget https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.4.1/opentelemetry-javaagent-all.jar \
    && wget https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.16.1/jmx_prometheus_javaagent-0.16.1.jar -O jmx_prometheus_javaagent.jar \
    && cp /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts /tmp/kafka.client.truststore.jks \
--- a/metadata-integration/java/spark-lineage/README.md
+++ b/metadata-integration/java/spark-lineage/README.md
@ -130,7 +130,7 @@ YY/MM/DD HH:mm:ss INFO McpEmitter: REST Emitter Configuration: Token XXXXX
 ```
 On pushing data to server
 ```
-YY/MM/DD HH:mm:ss INFO McpEmitter: MetadataWriteResponse(success=true, responseContent={"value":"<URN>"}, underlyingResponse=HTTP/1.1 200 OK [Date: day, DD month year HH:mm:ss GMT, Content-Type: application/json, X-RestLi-Protocol-Version: 2.0.0, Content-Length: 97, Server: Jetty(9.4.20.v20190813)] [Content-Length: 97,Chunked: false])
+YY/MM/DD HH:mm:ss INFO McpEmitter: MetadataWriteResponse(success=true, responseContent={"value":"<URN>"}, underlyingResponse=HTTP/1.1 200 OK [Date: day, DD month year HH:mm:ss GMT, Content-Type: application/json, X-RestLi-Protocol-Version: 2.0.0, Content-Length: 97, Server: Jetty(9.4.46.v20220331)] [Content-Length: 97,Chunked: false])
 ```
 On application end
 ```
--- a/metadata-service/war/build.gradle
+++ b/metadata-service/war/build.gradle
@ -31,7 +31,7 @@ configurations {
 }

 dependencies {
-  jetty8 "org.eclipse.jetty:jetty-runner:9.4.18.v20190429"
+  jetty8 "org.eclipse.jetty:jetty-runner:9.4.46.v20220331"
 }

 task run(type: JavaExec, dependsOn: build) {